CN118337514A - Method and device for detecting intrusion of automobile CAN (controller area network) network, electronic equipment and storage medium - Google Patents

Publication number
CN118337514A
Authority
CN
China
Prior art keywords
network
data set
base classifier
intrusion detection
target vehicle
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410600070.4A
Other languages
Chinese (zh)
Inventor
赵剑
汪想
刘蓬勃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dalian University of Technology
Original Assignee
Dalian University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dalian University of Technology filed Critical Dalian University of Technology
Priority to CN202410600070.4A priority Critical patent/CN118337514A/en
Publication of CN118337514A publication Critical patent/CN118337514A/en
Pending legal-status Critical Current

Landscapes

  • Small-Scale Networks (AREA)

Abstract

An embodiment of the disclosure provides an automobile CAN network intrusion detection method and device, electronic equipment and a storage medium, and relates to the technical field of automobile information security. The method comprises: acquiring traffic data packets on the CAN bus of a target vehicle during normal driving, and establishing a normal traffic data set from the traffic data packets; counting the ID of each traffic data packet in the normal traffic data set, and creating an original data set according to the ID of each traffic data packet, the attack type and the normal traffic data set; extracting the ID and data field information in the original data set as classification features, and establishing a feature data set from the classification features; constructing a CAN network Stacking intrusion detection model of the target vehicle from the feature data set; and inputting the ID and data field information in the attack data set into the Stacking intrusion detection model, and predicting from the output whether the CAN network of the target vehicle has been intruded. The method provided by the disclosure can effectively improve the accuracy and stability of automobile CAN network intrusion detection.

Description

Method and device for detecting intrusion of automobile CAN (controller area network) network, electronic equipment and storage medium
Technical Field
The disclosure relates to the technical field of intelligent network-connected automobile information security, in particular to an automobile CAN network intrusion detection method and device, electronic equipment and storage media.
Background
With the rapid development of network and automotive technology, modern vehicles offer ever richer intelligent functions and exchange information with the outside world ever more frequently, so the risk of intrusion into the in-vehicle network keeps rising. Within the in-vehicle network, the CAN bus is widely used for its multi-master operation, high reliability and low cost, but its original design did not consider any network security protection mechanism, so in-vehicle network security faces a great challenge.
At present, CAN bus information security technology mainly comprises data encryption, identity authentication and intrusion detection. The first two use encryption and authentication to protect CAN network data, isolating it from external systems and keeping out messages that do not conform to the communication protocol. Intrusion detection works on the characteristics of the data through a purpose-designed algorithm. The related art is as follows:
Application publication number CN115314311A discloses a vehicle-mounted intrusion detection method and system based on CAN bus data frames. The method preprocesses the information with one-hot encoding, constructs an intrusion detection model comprising a generator network and a discriminator network based on the GAN algorithm, and uses the trained discriminator to monitor CAN network data transmission in real time to protect vehicle safety.
Application publication number CN113612786B discloses an intrusion detection system and method for a vehicle bus. The method comprises: acquiring a CAN message, classifying the CAN frames in the CAN message, checking the frame format of the CAN frames, checking the CRC codes of the CAN frames, inputting the CAN frames into a constructed generative adversarial network model for anomaly detection, judging whether the CAN message is subject to a known or an unknown attack, and raising an alarm if it is. The system comprises a CAN frame identification module, a frame format checking module, a CRC checking module and a generative adversarial neural network detection module.
Application publication number CN109067773A discloses a vehicle-mounted CAN network intrusion detection method and system based on a neural network. The invention takes the sending frequency of CAN network data packets as the input of a BP neural network, uses principal component analysis (PCA) to reduce the dimension of the data, detects the sending frequency of the various CAN data packets, optimizes the BP neural network with a genetic algorithm, takes the correlated data of engine speed, air intake, vehicle speed and throttle as the input of the BP neural network, judges whether the current network is abnormal and raises an alarm.
Application publication number CN115051852A discloses a vehicle-mounted CAN bus intrusion detection algorithm based on deep learning. The method comprises: separating the CAN ID and the corresponding flag label in the data set, converting the separated CAN ID into a decimal floating point number, dividing the data set with a step length of 64, converting the divided CAN ID sequences into two-dimensional images with GAF encoding, dividing them into a training set and a test set, and training the model.
Application publication number CN113162902B discloses a low-latency and secure vehicle-mounted intrusion detection method based on deep learning. The method comprises: encoding the arbitration bits of CAN traffic into a 2-D image with one-hot vector encoding; extracting CAN image features with an encoder through a generative adversarial network; introducing a random phase theta and an imaginary number b to hide and obfuscate the real features; extracting deep features in the cloud with a processor that uses a convolutional neural network and an attention mechanism; decoding the deep features with a decoder; and identifying abnormal traffic with a shallow network.
Application publication number CN113824684A discloses a vehicle-mounted network intrusion detection method and system based on transfer learning. The invention extracts 29 consecutive CAN IDs and converts the ID sequence into a feature matrix as input; a DenseNet-based detection model extracts the time-sequence characteristics of the feature matrix, and a GAN-based detection model extracts the time-sequence characteristics of the feature matrix and judges whether they match unknown attack characteristics; if so, it raises an alarm and stores the unknown attack samples. When the stored samples reach a certain number, PCA is used to reduce their dimension and the Meanshift method is used to classify the dimension-reduced samples, giving a pre-classified unknown attack data set with which the intrusion detection system is updated.
Application publication number CN114157469A discloses a vehicle network variant attack intrusion detection method and system based on a domain-adversarial neural network. The method comprises: acquiring normal data on a real vehicle with the USB-CANTOOL software, selecting the IDs and data segments of the injected attacks, dividing the acquired data set into a source domain data set, a target domain data set and a test data set, extracting the data segments of 25 consecutive CAN messages, concatenating the features obtained by modules with different convolution kernel sizes and outputting the final features, and taking the features of known attacks as input and the judged attack type as output.
The research of a vehicle-mounted CAN network intrusion detection system based on a neural network proposes an intrusion detection method based on the neural network, and tamper, replay and injection attacks are handled by utilizing a neural network model by analyzing the bus characteristics and the ECU characteristics of the CAN network.
Research and implementation of intelligent network-connected automobile safety gateway technology provides a safety gateway bus defense mechanism based on judging whether the safety gateway bus defense mechanism is abnormal or not by adopting a mixed message authentication code and a bidirectional challenge authentication strategy.
The research and implementation of defending technology for networking automobile in-car networks provides a dynamic encryption data method for a vehicle-mounted Ethernet based on a moving target defending idea, an intrusion detection scheme based on the theoretical knowledge of a vehicle-mounted CAN network communication matrix is provided, and the characteristics of in-car communication data are combined to protect the automobile network.
The safety mechanism research facing the information safety problem of the Internet of vehicles proposes a lightweight certificate-free public key authentication system based on identity and a vehicle group key management mechanism, and can effectively detect and defend attack messages.
The research and implementation of the network-connected automobile intrusion detection system provides a CAN network-based intrusion detection system based on intrusion detection rules of byte level and bit level, which comprises modules of data acquisition, data preprocessing, intrusion detection engine, recording and alarming, rule updating and the like.
According to the intrusion detection research of the vehicle-mounted network based on the association rule, an intrusion detection scheme of the CAN network based on the period is provided, and the association and the characteristics of message data of the automobile network are analyzed from the angle of data mining, so that the association and the characteristics between ECUs are found in the data, and whether an attack exists is judged.
A CAN network anomaly detection method based on Renyi information entropy provides an anomaly detection model based on Renyi information entropy and Renyi divergence, and the anomaly of data domain information is monitored from the aspects of ID characteristics, entropy values or message periodicity so as to ensure the safety of an automobile CAN network.
The LSTM network-based vehicle-mounted CAN network anomaly detection research provides a LSTM network-based vehicle-mounted CAN network anomaly detection model, and the method CAN effectively detect replay attack and frame counterfeiting.
The AdaBoost algorithm-based vehicle-mounted CAN network message anomaly detection provides a vehicle-mounted CAN network message anomaly detection model based on the AdaBoost algorithm, a CART decision tree is adopted as a basic weak classifier, 64 bits of a message data field are divided into 8 bytes and are respectively input into the model, and whether the message is abnormal or not is judged.
A vehicle network anomaly detection method based on a support vector machine provides an automobile CAN network intrusion detection algorithm based on the support vector machine, takes the information entropy of each byte of a data field as the input of the support vector machine, and judges whether the vehicle network anomaly detection method is abnormal.
The CAN-FD network anomaly intrusion detection based on the support vector machine provides a scheme based on the support vector machine for detecting CAN-FD messages, time information, message identifier ID information and 48 data field information are used as models to be input into a training model, and a classification model is obtained to detect anomalies of a CAN bus.
Considering the actual conditions of intelligent connected vehicle driving and in-vehicle networks, the above technologies have a number of defects: encryption can involve adjusting the CAN communication protocol and changing the information format of the CAN frame, which is unfavorable for practical implementation; the encryption, decryption and identity authentication processes can increase the computational load of the ECU, affect the real-time performance of in-vehicle network communication, and cause a given message to occupy the CAN network for too long; and an intrusion detection system faces a wide choice of algorithms, so how to fit a machine learning algorithm to the task and how to improve accuracy remain difficult problems. Each algorithm differs in principle and in its sensitivity to the data, and for the same classification problem the training error and generalization error of the models may differ, which makes prediction and decision-making difficult. Stacking ensemble learning can integrate several sub-learners and use the output of the group of learners to compensate for errors, so it has higher decision performance and generalization capability than a single model. At present, no research applying Stacking ensemble learning to automobile CAN network intrusion detection has been reported.
Disclosure of Invention
The automobile CAN network intrusion detection method provided by the disclosure can effectively improve the accuracy and stability of automobile CAN network intrusion detection.
According to a first aspect of an embodiment of the present disclosure, there is provided an intrusion detection method for an automobile CAN network, the method including:
acquiring traffic data packets on the CAN bus of a target vehicle during normal driving, and establishing a normal traffic data set from the traffic data packets;
counting the ID of each traffic data packet in the normal traffic data set, and creating an original data set according to the ID of each traffic data packet, the attack type and the normal traffic data set;
extracting the ID and data field information in the original data set as classification features, and establishing a feature data set from the classification features;
constructing a CAN network Stacking intrusion detection model of the target vehicle from the feature data set;
and inputting the ID and data field information in the attack data set into the Stacking intrusion detection model, and predicting from the output whether the CAN network of the target vehicle has been intruded.
In one embodiment, constructing the CAN network Stacking intrusion detection model of the target vehicle from the feature data set includes:
randomly extracting part of the feature data in the feature data set according to a preset proportion as a training set S, with the remaining feature data serving as a test set P;
dividing the training set into n+1 subsets S1, S2, …, Sn+1, and sequentially selecting the first i subsets to train the base classifiers; the base classifiers comprise a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor base classifier and a multi-layer perceptron base classifier;
predicting the (i+1)th subset with the trained base classifiers, outputting a prediction result, and repeating the process n times to obtain all the prediction results of the base classifiers;
combining all the prediction results to obtain a target training set N;
and training a gradient decision tree classifier with the target training set N to obtain the CAN network Stacking intrusion detection model of the target vehicle.
In one embodiment, inputting the ID and data field information in the feature data set into the Stacking intrusion detection model and predicting from the output whether the CAN network of the target vehicle has been intruded includes:
evaluating the test set P with the CAN network Stacking intrusion detection model of the target vehicle to obtain an intrusion detection result;
inputting the ID and data field information in the feature data set into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor base classifier and the multi-layer perceptron base classifier respectively, to obtain a test value P1, a test value P2, a test value P3 and a test value P4;
inputting the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle, and estimating the abnormal state of the corresponding CAN message from the output;
and predicting whether the CAN network of the target vehicle has been intruded according to the abnormal state of the corresponding CAN message.
In one embodiment, before predicting the (i+1)th subset with the trained base classifiers, outputting a prediction result and repeating the process n times to obtain all the prediction results of the base classifiers, the method further includes:
inputting the data in the test set P into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor base classifier and the multi-layer perceptron base classifier respectively;
and evaluating the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor base classifier and the multi-layer perceptron base classifier respectively according to the output and the evaluation index.
In one embodiment, before the test values P1, P2, P3, and P4 are input as CAN packet characteristics to the CAN network Stacking intrusion detection model of the target vehicle, and the abnormal state of the corresponding CAN packet is estimated according to the output result, the method further includes:
Inputting the data in the test set P to a CAN network Stacking intrusion detection model of the target vehicle;
and evaluating the CAN network Stacking intrusion detection model of the target vehicle according to the output result and the evaluation index.
In one embodiment, the evaluation index comprises at least one of ROC curve, AUC area, and accuracy.
According to a second aspect of embodiments of the present disclosure, there is provided an automotive CAN network intrusion detection apparatus, the apparatus comprising:
the acquisition module, which acquires traffic data packets on the CAN bus of the target vehicle during normal driving and establishes a normal traffic data set from the traffic data packets;
the statistics module, which counts the ID of each traffic data packet in the normal traffic data set and creates an original data set according to the ID of each traffic data packet, the attack type and the normal traffic data set;
the extraction module, which extracts the ID and data field information in the original data set as classification features and establishes a feature data set from the classification features;
the construction module, which constructs a CAN network Stacking intrusion detection model of the target vehicle from the attack data set and the feature data set;
and the prediction module, which inputs the ID and data field information in the feature data set into the Stacking intrusion detection model and predicts from the output whether the CAN network of the target vehicle has been intruded.
In one embodiment, the construction module comprises:
the extraction sub-module, which randomly extracts part of the feature data in the feature data set according to a preset proportion as a training set S, with the remaining feature data serving as a test set P;
the division sub-module, which divides the training set into n+1 subsets S1, S2, …, Sn+1 and sequentially selects the first i subsets to train the base classifiers; the base classifiers comprise a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor base classifier and a multi-layer perceptron base classifier;
the prediction sub-module, which predicts the (i+1)th subset with the trained base classifiers, outputs a prediction result, and repeats the process n times to obtain all the prediction results of the base classifiers;
the combination sub-module, which combines all the prediction results to obtain a target training set N;
and the training sub-module, which trains a gradient decision tree classifier with the target training set N to obtain the CAN network Stacking intrusion detection model of the target vehicle.
In a third aspect of the embodiments of the present application, there is provided a computer device comprising a memory storing a computer program and a processor which implements the steps of any of the methods described above when executing the computer program.
In a fourth aspect of the embodiments of the present application, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of any of the above.
According to the automobile CAN network intrusion detection method, the Stacking intrusion detection model is established on the ID and data field features of real automobile CAN messages. The Stacking intrusion detection model combines the prediction results of the four base classifiers, and the parameters of the four base classifiers are optimized with a tree-structured Parzen estimator and cross-validation, which effectively improves the accuracy and stability of automobile CAN network intrusion detection.
Drawings
Fig. 1 is a flowchart of an intrusion detection method for an automobile CAN network according to an embodiment of the present disclosure.
Fig. 2 is a flowchart of an intrusion detection method for an automobile CAN network according to an embodiment of the present disclosure.
Fig. 3 is a logic diagram of an intrusion detection method for an automobile CAN network according to an embodiment of the present disclosure.
Fig. 4 is a schematic diagram of an automotive CAN network intrusion detection device according to an embodiment of the present disclosure.
Fig. 5 is a schematic diagram of an intrusion detection device for an automobile CAN network according to an embodiment of the present disclosure.
Fig. 6 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus consistent with some aspects of the disclosure as detailed in the accompanying claims.
Fig. 1 is a flowchart of an intrusion detection method for an automobile CAN network according to an embodiment of the present disclosure.
As shown in fig. 1, the method includes:
Step 101, acquiring a flow data packet on a CAN bus of a target vehicle in a normal running process, and establishing a normal flow data set according to the flow data packet;
In this step, real-time communication traffic data packets on the CAN bus of the target vehicle during normal driving are collected through the on-board OBD-II port for 10 minutes and stored as the normal traffic data set.
Step 102, counting the ID of each flow data packet in the normal flow data set, and creating an original data set according to the ID of each flow data packet, the attack type and the normal flow data set;
In this step, a denial-of-service attack data set is constructed by injecting high-priority data frames into the normal traffic data set; a replay attack data set is constructed by injecting repeated messages into the normal traffic data set; an injection attack data set is constructed by injecting illegal messages into the normal traffic data set; and a drop attack data set is constructed by randomly discarding normal messages from the normal traffic data set. The result is an original data set comprising the normal traffic data set, the denial-of-service attack data set, the replay attack data set, the injection attack data set and the drop attack data set.
Illustratively, counting the data packets of each ID in the normal traffic data set yields the 55 IDs of the electronic control units in the vehicle. The denial-of-service attack data set is constructed by injecting the high-priority data frame ID=0x000 into the normal traffic data set; the replay attack data set by injecting repeated messages with ID=0x0ba, ID=0x2c1 and ID=0x2c4 into the normal traffic data set; the injection attack data set by injecting illegal messages with ID=0x001, ID=0x010 and ID=0x100 into the normal traffic data set; and the drop attack data set by randomly discarding normal messages with ID=0x2d0, ID=0x2d5 and ID=0x3b3 from the normal traffic data set. Finally, the original data set comprising the normal data set, the denial-of-service attack data set, the replay attack data set, the injection attack data set and the drop attack data set is obtained.
Step 103, extracting ID and data domain information in the original data set as classification features, and establishing a feature data set according to the classification features;
In this step, the ID and the data domain information in the original dataset are extracted as classification features, respectively, to obtain a feature dataset.
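The data set construction of steps 102 and 103, as an added Python example (not code from the patent) that works only on an in-memory, constructed capture. The attack IDs are the ones in the illustration above; the per-frame labelling, the two extra normal IDs, the 10% insertion rate and all function names are assumptions.

```python
import random
from collections import Counter

NORMAL, DOS, REPLAY, INJECT, DROP = "normal", "dos", "replay", "inject", "drop"

# IDs from the page's illustration of step 102.
DOS_ID = 0x000
REPLAY_IDS = (0x0BA, 0x2C1, 0x2C4)
ILLEGAL_IDS = (0x001, 0x010, 0x100)
DROP_IDS = (0x2D0, 0x2D5, 0x3B3)


def constructed_capture(n_frames=600, seed=7):
    """Stand-in for the OBD-II capture of step 101: (timestamp, can_id, data) tuples.
    Constructed sample data, not real vehicle traffic."""
    rng = random.Random(seed)
    ids = REPLAY_IDS + DROP_IDS + (0x1A0, 0x3F2)  # the last two IDs are hypothetical
    return [(i * 0.001, ids[i % len(ids)], bytes(rng.randrange(256) for _ in range(8)))
            for i in range(n_frames)]


def count_ids(frames):
    """Step 102, first half: frames seen per CAN ID in the normal data set."""
    return Counter(can_id for _, can_id, _ in frames)


def _merge(normal, inserted, label):
    """Interleave inserted frames with the normal ones by timestamp, one label per frame."""
    rows = [(f, NORMAL) for f in normal] + [(f, label) for f in inserted]
    return sorted(rows, key=lambda row: row[0][0])


def build_original_dataset(normal, percent=10, seed=11):
    """Step 102, second half: the five labelled data sets, keyed by class name."""
    rng = random.Random(seed)
    k = max(1, len(normal) * percent // 100)  # frames inserted or removed per data set
    later = 0.0005                            # inserted frames land between two real ones

    dos = [(t + later, DOS_ID, bytes(8)) for t, _, _ in rng.sample(normal, k)]
    replay_pool = [f for f in normal if f[1] in REPLAY_IDS]
    replay = [(t + later, cid, data) for t, cid, data in rng.sample(replay_pool, k)]
    inject = [(t + later, rng.choice(ILLEGAL_IDS), bytes(rng.randrange(256) for _ in range(8)))
              for t, _, _ in rng.sample(normal, k)]

    droppable = [f for f in normal if f[1] in DROP_IDS]
    gone = {f[0] for f in rng.sample(droppable, k)}
    # A dropped frame leaves no row, so the surviving frames of the thinned-out IDs
    # carry the class (assumption: the page does not say how this class is labelled).
    drop = [(f, DROP if f[1] in DROP_IDS else NORMAL) for f in normal if f[0] not in gone]

    return {
        NORMAL: [(f, NORMAL) for f in normal],
        DOS: _merge(normal, dos, DOS),
        REPLAY: _merge(normal, replay, REPLAY),
        INJECT: _merge(normal, inject, INJECT),
        DROP: drop,
    }


def extract_features(rows):
    """Step 103: the ID plus the data field, zero-padded to 8 bytes, per frame."""
    X = [[cid] + list(data.ljust(8, b"\x00")) for (_, cid, data), _ in rows]
    y = [label for _, label in rows]
    return X, y


if __name__ == "__main__":
    capture = constructed_capture()
    sets = build_original_dataset(capture)
    X, y = extract_features([row for rows in sets.values() for row in rows])
    print(len(count_ids(capture)), "IDs;", Counter(y))
```

Replayed frames are byte-for-byte copies of frames from the normal capture, so a classifier that sees only the ID and data field has nothing to separate them by; the same holds for the frames that survive a drop.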
Step 104, constructing a CAN network Stacking intrusion detection model of the target vehicle according to the feature data set;
In this step, the Stacking intrusion detection model is built from two stacked layers of models: the first-layer base classifiers are a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor base classifier and a multi-layer perceptron base classifier, and the second-layer meta-classifier is a gradient boosting decision tree. The prediction probabilities of the four base classifiers are stacked to form a new feature set, and training on the new feature set gives the final ensemble model.
As shown in fig. 2, the constructing a CAN network Stacking intrusion detection model of the target vehicle according to the feature data set includes:
Step 201, randomly extracting part of characteristic data in the characteristic data set according to a preset proportion to serve as a training set S, and the rest of characteristic data serve as a test set P;
For example, 60% of the feature data in the feature data set may be randomly extracted as the training set S, and 40% of the feature data may be randomly extracted as the test set P in the present embodiment.
Step 202, dividing the training set into n+1 subsets S1, S2, …, Sn+1, and sequentially selecting the first i subsets to train the base classifiers; the base classifiers comprise a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor base classifier and a multi-layer perceptron base classifier; wherein n and i are natural numbers, n is not less than 1 and i is not less than 1.
In this step, a support vector machine base classifier prediction model, a random forest base classifier prediction model, a k-nearest neighbor base classifier prediction model and a multi-layer perceptron base classifier prediction model need to be established respectively, as follows:
A support vector machine (SVM) prediction model is established as follows: the data in the training set S are fed into a support vector machine model for training, and the optimal hyperparameters of the SVM model are found by searching with a tree-structured Parzen estimator and cross-validation, wherein the penalty parameter (C) is 0.1, the kernel function (kernel) is precomputed and the kernel function parameter (gamma) is auto; the support vector machine model is then built on the training set data with the optimal parameter combination found by the search.
A random forest (RF) prediction model is established as follows: the data in the training set S are fed into a random forest model for training, and the optimal hyperparameters of the random forest model are selected with a tree-structured Parzen estimator and cross-validation, wherein the number of base decision trees (n_estimators) is 100, the maximum depth of each base decision tree (max_depth) is 100 and the Boolean value (bootstrap) is True, that is, the training data of the decision trees are generated by bootstrap sampling; the random forest model is then built on the training set data with the optimal parameter combination found by the search.
A k-nearest neighbor (KNN) prediction model is established as follows: the data in the training set S are fed into the k-nearest neighbor algorithm for training, and the optimal hyperparameters of the k-nearest neighbor algorithm are selected with a tree-structured Parzen estimator and cross-validation, wherein the number of nearest-neighbor samples (n_neighbors) is 10, the voting weights of the nearest-neighbor samples (weights) are set to 'uniform', that is, all nearest-neighbor samples vote with equal weight, the nearest-neighbor search algorithm (algorithm) is set to 'kd_tree' and the minimum number of samples in a leaf node of the tree (leaf_size) is set to 30; the k-nearest neighbor model is then built on the training set data with the optimal parameter combination found by the search.
A multi-layer perceptron (MLP) prediction model is established as follows: the data in the training set S are fed into a multi-layer perceptron for training, and the optimal hyperparameters of the multi-layer perceptron are selected with a tree-structured Parzen estimator and cross-validation, wherein the number of hidden layers (hidden_layer_sizes) is 5, the hidden layers contain 32, 64 and 128 nodes respectively, and the optimization method (solver) is adam; the multi-layer perceptron model is then built on the training set data with the optimal parameter combination found by the search.
Step 203, predicting the (i+1) th subset by using the trained base classifier, outputting a prediction result, and repeating the steps for n times to obtain all the prediction results of the base classifier;
In the step, the i+1st data subset is predicted by using a trained support vector machine base classifier prediction model, a random forest base classifier prediction model, a k neighbor algorithm base classifier prediction model and a multi-layer perceptron base classifier respectively, a prediction result is output, and the steps are repeated n times to obtain all the prediction results of the support vector machine base classifier prediction model, the random forest base classifier prediction model, the k neighbor algorithm base classifier prediction model and the multi-layer perceptron base classifier.
Step 204, combining all the prediction results to obtain a target training set N;
In this step, all prediction results are output as new features; the m base classifiers correspond to m rounds of validation and yield m new features, that is, m new feature sets, which are then combined to obtain the training set N.
Step 205, training a gradient decision tree classifier by using the target training set N to obtain a CAN network Stacking intrusion detection model of the target vehicle.
It can be understood that, in this step, before the gradient decision tree classifier is trained by using the target training set N to obtain the CAN network Stacking intrusion detection model of the target vehicle, a gradient decision tree classifier model needs to be established.
The gradient decision tree classifier model is established as follows: the training set data is fed into a gradient boosting decision tree for training, and the optimal hyperparameters of the gradient boosting decision tree are selected using a tree-structured Parzen estimator and cross-validation: the maximum number of iterations (n_estimators) is 100, the learning rate (learning_rate) is 1, the subsampling (subsampling) is 0.5, and the loss function (loss) is deviance. The gradient decision tree classifier model is then built on the training set data with the optimal parameter combination found by the search.
Step 105, inputting the ID and the data field information in the attack data set into a Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has network intrusion according to an output result.
In one embodiment, inputting the ID and the data field information in the feature data set into a Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has a network intrusion according to the output result, includes:
estimating the test set P by using the CAN network Stacking intrusion detection model of the target vehicle to obtain an intrusion detection result;
respectively inputting the ID and the data field information in the feature data set into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier to obtain a test value P1, a test value P2, a test value P3 and a test value P4;
respectively inputting the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle, and estimating an abnormal state of the corresponding CAN message according to an output result;
predicting whether network intrusion exists in the CAN of the target vehicle according to the abnormal state of the corresponding CAN message.
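The expanding-window construction of the target training set N (steps 202 to 204) and the two-stage prediction described above, as an added Python example that is not code from the patent. Assumptions: the CAN frames are constructed sample data, a brute-force KNN (k = 10 as in the description) and a hypothetical ID-only lookup stand in for the four base classifiers, a lookup table stands in for the gradient decision tree classifier, and the base models are refit on all of S before prediction.

```python
import math
import random
from collections import Counter

LEGIT_IDS = [0x110, 0x220, 0x330]  # constructed arbitration IDs, not from the patent

def make_frames(count, seed=7):
    """Constructed rows ((can_id, data_bytes), label); label 1 = anomalous."""
    rng = random.Random(seed)
    rows = []
    for i in range(count):
        legit = LEGIT_IDS[(i // 6) % 3]
        if i % 6 in (0, 3):  # anomalous: unknown ID (i%6 == 0) or reused legit ID
            can_id = rng.randrange(0x400, 0x800) if i % 6 == 0 else legit
            rows.append(((can_id, [rng.randint(200, 255) for _ in range(8)]), 1))
        else:                # normal frame: legitimate ID, low payload values
            rows.append(((legit, [rng.randint(0, 40) for _ in range(8)]), 0))
    return rows

def features(frame):
    can_id, data = frame
    return [can_id >> 3] + list(data)  # 11-bit ID scaled into the byte range

def majority(labels):
    return Counter(labels).most_common(1)[0][0]

class KNN:  # k = 10 as in the description; brute force instead of a kd-tree
    def fit(self, rows):
        self.rows = [(features(f), y) for f, y in rows]
        return self
    def predict(self, frame):
        x = features(frame)
        near = sorted(self.rows, key=lambda r: math.dist(x, r[0]))[:10]
        return majority(y for _, y in near)

class IdMajority:  # hypothetical stand-in base classifier: looks at the ID only
    def fit(self, rows):
        by_id = {}
        for (can_id, _), y in rows:
            by_id.setdefault(can_id, []).append(y)
        self.table = {cid: majority(ys) for cid, ys in by_id.items()}
        return self
    def predict(self, frame):
        return self.table.get(frame[0], 1)  # an unseen ID counts as anomalous

BASE = [KNN, IdMajority]

def build_target_set(subsets):
    """Steps 202-204: fit on S1..Si, predict S(i+1), for i = 1..n."""
    target = []
    for i in range(1, len(subsets)):
        seen = [row for s in subsets[:i] for row in s]
        models = [cls().fit(seen) for cls in BASE]
        for frame, label in subsets[i]:  # rows these models never saw
            target.append((tuple(m.predict(frame) for m in models), label))
    return target

class MetaTable:  # stand-in for the gradient decision tree classifier
    def fit(self, target):
        by_pattern = {}
        for preds, y in target:
            by_pattern.setdefault(preds, []).append(y)
        self.table = {p: majority(ys) for p, ys in by_pattern.items()}
        return self
    def predict(self, preds):
        return self.table.get(preds, 1)  # unseen prediction pattern: flag it

def run(n_plus_1=5):
    rows = make_frames(360)
    S, P = rows[:300], rows[300:]  # fixed cut stands in for the random split
    size = len(S) // n_plus_1
    subsets = [S[j * size:(j + 1) * size] for j in range(n_plus_1)]
    target = build_target_set(subsets)       # target training set N
    meta = MetaTable().fit(target)           # step 205
    models = [cls().fit(S) for cls in BASE]  # assumption: refit on all of S
    stack_hits = id_hits = 0
    for frame, label in P:
        preds = tuple(m.predict(frame) for m in models)  # test values P1, P2
        stack_hits += meta.predict(preds) == label
        id_hits += preds[1] == label
    return len(target), stack_hits / len(P), id_hits / len(P)

if __name__ == "__main__":
    print(run())
```

Because S1 is only ever used for fitting, N holds |S| - |S1| rows (240 of 300 here), each predicted by models that never saw that row. The ID-only model misses anomalous frames that reuse a legitimate ID, and the meta-model learns from N to correct that.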
Optionally, before predicting the (i+1)th subset by using the trained base classifier, outputting a prediction result, and repeating the above steps n times to obtain all the prediction results of the base classifier, the method further includes:
respectively inputting the data in the test set P into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier;
and respectively evaluating the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier according to the output result and the evaluation index.
Optionally, before the test value P1, the test value P2, the test value P3, and the test value P4 are used as CAN message features to be input into the CAN network Stacking intrusion detection model of the target vehicle, and the abnormal state of the corresponding CAN message is estimated according to the output result, the method further includes:
inputting the data in the test set P into the CAN network Stacking intrusion detection model of the target vehicle;
and evaluating the CAN network Stacking intrusion detection model of the target vehicle according to the output result and the evaluation index.
Wherein the evaluation index includes at least one of ROC curve, AUC area, and accuracy.
In this embodiment, the results obtained by evaluating the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier, the multi-layer perceptron base classifier and the Stacking intrusion detection model according to the output result and the evaluation index are shown in Table 1 below.
TABLE 1
From the data in Table 1, it can be seen that, among the base classifiers, the random forest base classifier (RF) has the highest accuracy, with a test accuracy of 88.51% and an area under the curve (AUC) value of 0.98, while the prediction accuracy of the integrated Stacking intrusion detection model can reach 92.18%, a better prediction effect than that of a single model. The Stacking intrusion detection model in this embodiment integrates the advantages of the four classification models, is more stable and reliable, offers more comprehensive and balanced accuracy and coverage for automobile CAN network intrusion detection, and has higher reliability and predictive power.
According to the automobile CAN network intrusion detection method, the Stacking intrusion detection model is established based on the ID and the data field features of real automobile CAN messages. The Stacking intrusion detection model combines the prediction results of the four base classifiers, and the parameters of the four base classifiers are optimized through the tree-structured Parzen estimator and cross-validation, so that the accuracy and the stability of automobile CAN network intrusion detection are effectively improved.
Fig. 3 is a logic diagram of an intrusion detection method for an automobile CAN network according to an embodiment of the present disclosure.
Fig. 4 is a schematic diagram of an intrusion detection device for an automobile CAN network according to an embodiment of the present disclosure. As shown in fig. 4, the apparatus includes: an acquisition module 401, a statistics module 402, an extraction module 403, a construction module 404 and a prediction module 405; the acquiring module 401 is configured to acquire a traffic data packet on a CAN bus during normal driving of a target vehicle, and establish a normal traffic data set according to the traffic data packet; the statistics module 402 is configured to count an ID of each of the traffic data packets in the normal traffic data set, and create an original data set according to the ID of each of the traffic data packets, an attack type, and the normal traffic data set; the extraction module 403 is configured to extract ID and data domain information in the original dataset as classification features, and establish a feature dataset according to the classification features; the construction module 404 is configured to construct a CAN network Stacking intrusion detection model of the target vehicle according to the attack data set and the feature data set; the prediction module 405 is configured to input the ID and the data field information in the feature data set into a Stacking intrusion detection model, and predict whether a network intrusion exists in the CAN of the target vehicle according to the output result.
Fig. 5 is a schematic diagram of an intrusion detection device for an automobile CAN network according to an embodiment of the present disclosure. As shown in fig. 5, the apparatus includes: an acquisition module 501, a statistics module 502, an extraction module 503, a construction module 504 and a prediction module 505; wherein the construction module 504 comprises an extraction submodule 5041, a division submodule 5042, a prediction submodule 5043, a combination submodule 5044 and a training submodule 5045; the extraction submodule 5041 is configured to randomly extract part of the feature data in the feature data set according to a preset proportion as a training set S, with the rest of the feature data as a test set P; the division submodule 5042 is configured to divide the training set into n+1 subsets S1, S2, …, Sn+1, and sequentially select the first i subsets to train the base classifiers; the base classifiers comprise a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier and a multi-layer perceptron base classifier; the prediction submodule 5043 is configured to predict the (i+1)th subset by using the trained base classifier, output a prediction result, and repeat the process n times to obtain all the prediction results of the base classifier; the combination submodule 5044 is configured to combine all the prediction results to obtain a target training set N; the training submodule 5045 is configured to train the gradient decision tree classifier by using the target training set N to obtain a CAN network Stacking intrusion detection model of the target vehicle.
The present disclosure also provides a computer device whose internal structural diagram may be as shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The database of the computer device is for storing data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements the automotive CAN network intrusion detection method described above. That is, the computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements any step of the automobile CAN network intrusion detection method when executing the computer program.
The present disclosure also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, can implement any of the steps of the automotive CAN network intrusion detection method described above.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be preset in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. An intrusion detection method for an automobile CAN network, comprising:
acquiring a flow data packet on a CAN bus of a target vehicle in a normal running process, and establishing a normal flow data set according to the flow data packet;
counting the ID of each flow data packet in the normal flow data set, and creating an original data set according to the ID of each flow data packet, the attack type and the normal flow data set;
extracting ID and data field information in the original data set as classification features, and establishing a feature data set according to the classification features;
constructing a CAN network Stacking intrusion detection model of the target vehicle according to the feature data set;
and inputting the ID and the data field information in the attack data set into a Stacking intrusion detection model, and predicting whether the CAN of the target vehicle has network intrusion according to an output result.
2. The method of claim 1, wherein constructing a CAN network Stacking intrusion detection model of the target vehicle from the feature data set comprises:
randomly extracting part of the feature data in the feature data set according to a preset proportion to serve as a training set S, with the rest of the feature data serving as a test set P;
dividing the training set into n+1 subsets S1, S2, … and Sn+1, and sequentially selecting the first i subsets to train the base classifiers; the base classifiers comprise a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier and a multi-layer perceptron base classifier;
predicting the (i+1)th subset by using the trained base classifier, outputting a prediction result, and repeating the process n times to obtain all the prediction results of the base classifier;
combining all the prediction results to obtain a target training set N;
and training a gradient decision tree classifier by using the target training set N to obtain a CAN network Stacking intrusion detection model of the target vehicle.
3. The method of claim 2, wherein inputting the ID and data field information in the feature data set into a Stacking intrusion detection model and predicting whether a network intrusion exists in the CAN of the target vehicle based on the output result comprises:
estimating the test set P by using the CAN network Stacking intrusion detection model of the target vehicle to obtain an intrusion detection result;
respectively inputting the ID and the data field information in the feature data set into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier to obtain a test value P1, a test value P2, a test value P3 and a test value P4;
respectively inputting the test value P1, the test value P2, the test value P3 and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle, and estimating an abnormal state of the corresponding CAN message according to an output result;
predicting whether network intrusion exists in the CAN of the target vehicle according to the abnormal state of the corresponding CAN message.
4. The method according to claim 3, wherein before predicting the (i+1)th subset by using the trained base classifier, outputting the prediction result, and repeating the process n times to obtain all the prediction results of the base classifier, the method further comprises:
respectively inputting the data in the test set P into the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier;
and respectively evaluating the support vector machine base classifier, the random forest base classifier, the k-nearest neighbor algorithm base classifier and the multi-layer perceptron base classifier according to the output result and the evaluation index.
5. The method of claim 4, wherein before inputting the test value P1, the test value P2, the test value P3, and the test value P4 as CAN message features into the CAN network Stacking intrusion detection model of the target vehicle, and estimating an abnormal state of the corresponding CAN message according to an output result, the method further comprises:
inputting the data in the test set P into the CAN network Stacking intrusion detection model of the target vehicle;
and evaluating the CAN network Stacking intrusion detection model of the target vehicle according to the output result and the evaluation index.
6. The method of claim 4 or 5, wherein the evaluation index comprises at least one of ROC curve, AUC area, and accuracy.
7. An automotive CAN network intrusion detection device, the device comprising:
the acquisition module, which acquires a flow data packet on the CAN bus in the normal running process of the target vehicle, and establishes a normal flow data set according to the flow data packet;
the statistics module, which is used for counting the ID of each flow data packet in the normal flow data set and creating an original data set according to the ID of each flow data packet, the attack type and the normal flow data set;
the extraction module, which is used for extracting ID and data field information in the original data set as classification features and establishing a feature data set according to the classification features;
the construction module, which is used for constructing a CAN network Stacking intrusion detection model of the target vehicle according to the attack data set and the feature data set;
and the prediction module, which inputs the ID and the data field information in the feature data set into a Stacking intrusion detection model, and predicts whether the CAN of the target vehicle has network intrusion according to an output result.
8. The apparatus of claim 7, wherein the construction module comprises:
the extraction sub-module, which randomly extracts part of the feature data in the feature data set according to a preset proportion to serve as a training set S, with the rest of the feature data serving as a test set P;
the division sub-module, which divides the training set into n+1 subsets S1, S2, … and Sn+1, and sequentially selects the first i subsets to train the base classifiers; the base classifiers comprise a support vector machine base classifier, a random forest base classifier, a k-nearest neighbor algorithm base classifier and a multi-layer perceptron base classifier;
the prediction sub-module, which predicts the (i+1)th subset by using the trained base classifier, outputs a prediction result, and repeats the above steps n times to obtain all the prediction results of the base classifier;
the combination sub-module, which is used for combining all the prediction results to obtain a target training set N;
and the training sub-module, which is used for training a gradient decision tree classifier by using the target training set N to obtain the CAN network Stacking intrusion detection model of the target vehicle.
9. A computer device, comprising a memory and a processor, said memory storing a computer program, characterized in that the processor implements the steps of the method according to any one of claims 1 to 8 when said computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 8.
CN202410600070.4A 2024-05-15 2024-05-15 Method and device for detecting intrusion of automobile CAN (controller area network) network, electronic equipment and storage medium Pending CN118337514A (en)
Publications (1)

Publication Number Publication Date
CN118337514A true CN118337514A (en) 2024-07-12
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination